"Millions of HP Devices Have 16 New Highly Serious UEFI Firmware Vulnerabilities"
Researchers at the firmware security company Binarly discovered 16 new high-severity flaws in multiple implementations of the Unified Extensible Firmware Interface (UEFI) firmware that impact several HP enterprise devices. The flaws discovered in HP's UEFI firmware were given CVSS ratings ranging from 7.5 to 8.8. Devices vulnerable to the flaws include HP laptops, desktops, Point-of-Sale (PoS) systems, and edge computing nodes. Exploitation of the disclosed vulnerabilities could allow attackers to achieve privileged code execution in firmware and deliver persistent code capable of surviving operating system reinstallation and evading endpoint security solutions, Secure Boot, and Virtualization-Based Security (VBS) isolation. The most critical weaknesses are memory corruption vulnerabilities in the firmware's System Management Mode (SMM). According to the researchers, most of these problems are repeated failures, some of which are caused by the complexity of the codebase or by outdated components. The new findings are significant because firmware has become an ever-growing attack surface that malicious actors can use to launch highly targeted, devastating attacks. This article continues to discuss the discovery of 16 new high-severity vulnerabilities in UEFI firmware impacting multiple HP enterprise devices, other recent findings of high-impact vulnerabilities in UEFI firmware, and the emergence of firmware as an ever-expanding attack surface for threat actors to execute catastrophic attacks.